Get faster OpenVPN on FreeBSD by enabling DCO – easily done

I’ve been configuring a new gateway server for use in my basement data center (home lab). I had recently read about DCO and FreeBSD’s ovpn device.

DCO (Data Channel Offload) lets OpenVPN use the encryption features available in many CPUs. In my previous post, I checked: my OpenVPN server and most of the clients are DCO-capable.

I decided to try it.

I found the documentation lacking on how to use it. I took advice from mzar on #FreeBSD on Libera.chat.

They said:

“kernel module has to be loaded, network topology set to subnet, compression disabled, openvpn process run as root and you will have it.”

In this post:

  • FreeBSD 14.2 (on the gateway, where OpenVPN is running)
  • OpenVPN 2.6.13
  • FreeBSD 14.1 (on the openvpn client, running iperf)
  • iperf3 3.18 (on the openvpn client for testing)
  • iperf 3.8.1 (on my laptop, Apple version iperf3-117 (cJSON 1.7.13))
  • Viscosity 1.11.4 (1702) – OpenVPN client for OSX

About the tests

When testing, the iperf server was running on the host r730-03, a Dell R730 in my basement.

My laptop was connected via the VPN into the basement home lab.

Initially the laptop was connected wirelessly. Later, it was connected via a network cable. In both cases, Viscosity was used to connect to my OpenVPN server running on my 4-ATOM CPU (named gw01).

On the wired connection, the laptop is using a 1Gbit/second switch.

I saved the server side of the tests in this gist.

kernel module has to be loaded

[19:02 gw01 dvl ~] % kldstat | grep vpn
 7    1 0xffffffff8333b000     d848 if_ovpn.ko

I had this line in /boot/loader.conf.local (/boot/loader.conf will do as well):

if_ovpn_load="YES"

I had rebooted since adding that line, but you can also load the module dynamically with kldload if_ovpn (see man 4 ovpn).

network topology set to subnet

[19:03 gw01 dvl ~] % sudo grep topology /usr/local/etc/openvpn/openvpn.conf
topology subnet

compression disabled

[19:03 gw01 dvl ~] % sudo grep compression /usr/local/etc/openvpn/openvpn.conf
allow-compression no

openvpn process run as root

[19:04 gw01 dvl ~] % sudo grep user  /usr/local/etc/openvpn/openvpn.conf
[19:04 gw01 dvl ~] % sudo service openvpn start                         
Starting openvpn.
[20:16 gw01 dvl ~] % ps auwwx | grep openvpn
root     6770   0.1  0.0  23508 10588  -  Ss   19:28     1:09.54 /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon openvpn --config /usr/local/etc/openvpn/openvpn.conf --writepid /var/run/openvpn.pid
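A small audit script, added here and not part of the post or of OpenVPN itself, that checks a server config for the prerequisites above (topology subnet, compression off, no user/group privilege drop so the process stays root) and additionally flags any non-AEAD entry in data-ciphers, since DCO only offloads AES-GCM and ChaCha20-Poly1305. The two sample configs are constructed for the demonstration, and ovpn_module_loaded only means anything on FreeBSD.

```shell
#!/bin/sh
# Audit an OpenVPN server config for the DCO prerequisites: topology subnet,
# compression disabled, no user/group drop (openvpn must stay root), and only
# AEAD data ciphers (AES-GCM / ChaCha20-Poly1305), which are all DCO can offload.

# Value of a directive with comments stripped; last occurrence wins, as in OpenVPN.
# Prints nothing when the directive is absent.
ovpn_directive() {
    sed -e 's/[#;].*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }'
}

# Exit 0 when the directive appears at all, even with no value (e.g. bare comp-lzo).
ovpn_has() {
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# Kernel side of the check (FreeBSD only): is if_ovpn.ko loaded?
ovpn_module_loaded() {
    kldstat 2>/dev/null | grep -q 'if_ovpn\.ko'
}

# Prints one ok/FAIL line per check; the return value is the number of failures.
dco_config_check() {
    cfg="$1"; fails=0
    topo=$(ovpn_directive "$cfg" topology)
    if [ "$topo" = subnet ]; then echo "ok   topology subnet"
    else echo "FAIL topology is '${topo:-unset}', DCO needs 'topology subnet'"; fails=$((fails+1)); fi

    comp=$(ovpn_directive "$cfg" allow-compression)
    if [ "$comp" = no ]; then echo "ok   allow-compression no"
    else echo "FAIL allow-compression is '${comp:-unset}', DCO needs 'allow-compression no'"; fails=$((fails+1)); fi
    for d in comp-lzo compress; do   # either directive turns compression back on
        if ovpn_has "$cfg" "$d"; then echo "FAIL '$d' enables compression"; fails=$((fails+1)); fi
    done

    for d in user group; do
        if ovpn_has "$cfg" "$d"; then echo "FAIL '$d' drops root; DCO needs openvpn to stay root"; fails=$((fails+1))
        else echo "ok   no '$d' directive"; fi
    done

    # An absent data-ciphers line means the 2.6 default list, which is all AEAD.
    for c in $(ovpn_directive "$cfg" data-ciphers | tr ':' ' '); do
        case "$(echo "$c" | tr a-z A-Z)" in
            AES-128-GCM|AES-192-GCM|AES-256-GCM|CHACHA20-POLY1305) echo "ok   data-cipher $c is AEAD" ;;
            *) echo "FAIL data-cipher $c cannot be offloaded by DCO"; fails=$((fails+1)) ;;
        esac
    done
    return $fails
}

# Constructed sample configs (not the author's files): one mirroring the
# DCO-relevant lines of the server config in this post, one that keeps DCO off.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
topology subnet
allow-compression no
data-ciphers          AES-256-GCM:AES-128-GCM:ChaCha20-Poly1305
tun-mtu 1400   # advice from #FreeBSD
EOF
cat >"$BAD_CFG" <<'EOF'
topology net30
comp-lzo
user  nobody
group nobody
data-ciphers AES-256-GCM:AES-256-CBC
EOF

dco_config_check "$GOOD_CFG"   # every line reads ok
dco_config_check "$BAD_CFG" || echo "$? check(s) failed"
```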

and you will have it

Here is my test before making the above changes. FYI, I issued this command on the server at 10.55.0.143: iperf3 -s.

This is the server-side output for the test run from my laptop, which was connected over WiFi:

-----------------------------------------------------------
Server listening on 5201 (test #3)
-----------------------------------------------------------
Accepted connection from 10.8.1.180, port 62652
[  5] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 62653
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.06   sec  5.88 MBytes  46.4 Mbits/sec                  
[  5]   1.06-2.06   sec  8.75 MBytes  73.7 Mbits/sec                  
[  5]   2.06-3.02   sec  8.25 MBytes  72.3 Mbits/sec                  
[  5]   3.02-4.06   sec  10.0 MBytes  80.2 Mbits/sec                  
[  5]   4.06-5.06   sec  9.38 MBytes  78.8 Mbits/sec                  
[  5]   5.06-6.06   sec  8.38 MBytes  70.5 Mbits/sec                  
[  5]   6.06-7.06   sec  9.25 MBytes  77.4 Mbits/sec                  
[  5]   7.06-8.06   sec  9.12 MBytes  76.5 Mbits/sec                  
[  5]   8.06-9.06   sec  9.00 MBytes  75.5 Mbits/sec                  
[  5]   9.06-10.01  sec  8.50 MBytes  75.1 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.01  sec  86.5 MBytes  72.5 Mbits/sec                  receiver
-----------------------------------------------------------

Now, after:

-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------
Accepted connection from 10.8.1.180, port 63109
[  5] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63110
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.06   sec  14.1 MBytes   112 Mbits/sec                  
[  5]   1.06-2.06   sec  13.9 MBytes   117 Mbits/sec                  
[  5]   2.06-3.06   sec  12.4 MBytes   104 Mbits/sec                  
[  5]   3.06-4.06   sec  14.2 MBytes   120 Mbits/sec                  
[  5]   4.06-5.05   sec  14.5 MBytes   122 Mbits/sec                  
[  5]   5.05-6.01   sec  13.0 MBytes   114 Mbits/sec                  
[  5]   6.01-7.06   sec  14.2 MBytes   114 Mbits/sec                  
[  5]   7.06-8.01   sec  11.8 MBytes   104 Mbits/sec                  
[  5]   8.01-9.02   sec  13.8 MBytes   114 Mbits/sec                  
[  5]   9.02-10.01  sec  14.1 MBytes   120 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.01  sec   136 MBytes   114 Mbits/sec                  receiver

Let’s do some more wifi testing

Then I did some parallel tests:

-----------------------------------------------------------
Server listening on 5201 (test #7)
-----------------------------------------------------------
Accepted connection from 10.8.1.180, port 63176
[  5] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63177
[  8] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63178
[ 10] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63179
[ 12] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63180
[ 14] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63181
[ 16] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63182
[ 18] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63183
[ 20] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63184
[ 22] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63185
[ 24] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63186
[ 26] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63187
[ 28] local 10.55.0.143 port 5201 connected to 10.8.1.180 port 63188
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.06   sec  1.62 MBytes  12.8 Mbits/sec                  
[  8]   0.00-1.06   sec  1.38 MBytes  10.8 Mbits/sec                  
[ 10]   0.00-1.06   sec  1.50 MBytes  11.8 Mbits/sec                  
[ 12]   0.00-1.06   sec  1.75 MBytes  13.8 Mbits/sec                  
[ 14]   0.00-1.06   sec  1.00 MBytes  7.89 Mbits/sec                  
[ 16]   0.00-1.06   sec  1.88 MBytes  14.8 Mbits/sec                  
[ 18]   0.00-1.06   sec  1.50 MBytes  11.8 Mbits/sec                  
[ 20]   0.00-1.06   sec  1.38 MBytes  10.8 Mbits/sec                  
[ 22]   0.00-1.06   sec  1.25 MBytes  9.86 Mbits/sec                  
[ 24]   0.00-1.06   sec  2.12 MBytes  16.8 Mbits/sec                  
[ 26]   0.00-1.06   sec  1.00 MBytes  7.89 Mbits/sec                  
[ 28]   0.00-1.06   sec  1.50 MBytes  11.8 Mbits/sec                  
[SUM]   0.00-1.06   sec  17.9 MBytes   141 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   1.06-2.06   sec  1.50 MBytes  12.6 Mbits/sec                  
[  8]   1.06-2.06   sec  1.12 MBytes  9.47 Mbits/sec                  
[ 10]   1.06-2.06   sec  1.62 MBytes  13.7 Mbits/sec                  
[ 12]   1.06-2.06   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 14]   1.06-2.06   sec  1.38 MBytes  11.6 Mbits/sec                  
[ 16]   1.06-2.06   sec  1.00 MBytes  8.42 Mbits/sec                  
[ 18]   1.06-2.06   sec  1.12 MBytes  9.47 Mbits/sec                  
[ 20]   1.06-2.06   sec  1.62 MBytes  13.7 Mbits/sec                  
[ 22]   1.06-2.06   sec  1.75 MBytes  14.7 Mbits/sec                  
[ 24]   1.06-2.06   sec  1.38 MBytes  11.6 Mbits/sec                  
[ 26]   1.06-2.06   sec  1.75 MBytes  14.7 Mbits/sec                  
[ 28]   1.06-2.06   sec  1.25 MBytes  10.5 Mbits/sec                  
[SUM]   1.06-2.06   sec  16.8 MBytes   141 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   2.06-3.00   sec  1.75 MBytes  15.6 Mbits/sec                  
[  8]   2.06-3.00   sec  1.25 MBytes  11.1 Mbits/sec                  
[ 10]   2.06-3.00   sec  1.50 MBytes  13.4 Mbits/sec                  
[ 12]   2.06-3.00   sec  1.50 MBytes  13.4 Mbits/sec                  
[ 14]   2.06-3.00   sec  1.38 MBytes  12.3 Mbits/sec                  
[ 16]   2.06-3.00   sec  1.50 MBytes  13.4 Mbits/sec                  
[ 18]   2.06-3.00   sec  1.12 MBytes  10.0 Mbits/sec                  
[ 20]   2.06-3.00   sec  1.50 MBytes  13.4 Mbits/sec                  
[ 22]   2.06-3.00   sec  1.75 MBytes  15.6 Mbits/sec                  
[ 24]   2.06-3.00   sec  1.38 MBytes  12.3 Mbits/sec                  
[ 26]   2.06-3.00   sec  1.50 MBytes  13.4 Mbits/sec                  
[ 28]   2.06-3.00   sec  1.25 MBytes  11.1 Mbits/sec                  
[SUM]   2.06-3.00   sec  17.4 MBytes   155 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   3.00-4.00   sec  1.25 MBytes  10.5 Mbits/sec                  
[  8]   3.00-4.00   sec  1.38 MBytes  11.5 Mbits/sec                  
[ 10]   3.00-4.00   sec  1.50 MBytes  12.5 Mbits/sec                  
[ 12]   3.00-4.00   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 14]   3.00-4.00   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 16]   3.00-4.00   sec  1.62 MBytes  13.6 Mbits/sec                  
[ 18]   3.00-4.00   sec  1.62 MBytes  13.6 Mbits/sec                  
[ 20]   3.00-4.00   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 22]   3.00-4.00   sec  1.62 MBytes  13.6 Mbits/sec                  
[ 24]   3.00-4.00   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 26]   3.00-4.00   sec  1.50 MBytes  12.5 Mbits/sec                  
[ 28]   3.00-4.00   sec  1.62 MBytes  13.6 Mbits/sec                  
[SUM]   3.00-4.00   sec  17.1 MBytes   143 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   4.00-5.03   sec  1.25 MBytes  10.2 Mbits/sec                  
[  8]   4.00-5.03   sec  1.88 MBytes  15.3 Mbits/sec                  
[ 10]   4.00-5.03   sec  1.38 MBytes  11.2 Mbits/sec                  
[ 12]   4.00-5.03   sec  1.50 MBytes  12.2 Mbits/sec                  
[ 14]   4.00-5.03   sec  1.25 MBytes  10.2 Mbits/sec                  
[ 16]   4.00-5.03   sec  1.62 MBytes  13.2 Mbits/sec                  
[ 18]   4.00-5.03   sec  1.38 MBytes  11.2 Mbits/sec                  
[ 20]   4.00-5.03   sec  1.38 MBytes  11.2 Mbits/sec                  
[ 22]   4.00-5.03   sec  1.38 MBytes  11.2 Mbits/sec                  
[ 24]   4.00-5.03   sec  1.38 MBytes  11.2 Mbits/sec                  
[ 26]   4.00-5.03   sec  1.75 MBytes  14.2 Mbits/sec                  
[ 28]   4.00-5.03   sec  1.12 MBytes  9.15 Mbits/sec                  
[SUM]   4.00-5.03   sec  17.2 MBytes   140 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   5.03-6.03   sec  1.62 MBytes  13.6 Mbits/sec                  
[  8]   5.03-6.03   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 10]   5.03-6.03   sec  1.75 MBytes  14.7 Mbits/sec                  
[ 12]   5.03-6.03   sec  1.62 MBytes  13.6 Mbits/sec                  
[ 14]   5.03-6.03   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 16]   5.03-6.03   sec  1.75 MBytes  14.7 Mbits/sec                  
[ 18]   5.03-6.03   sec  1.12 MBytes  9.44 Mbits/sec                  
[ 20]   5.03-6.03   sec  1.62 MBytes  13.6 Mbits/sec                  
[ 22]   5.03-6.03   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 24]   5.03-6.03   sec  1.62 MBytes  13.6 Mbits/sec                  
[ 26]   5.03-6.03   sec  1.62 MBytes  13.6 Mbits/sec                  
[ 28]   5.03-6.03   sec  1.88 MBytes  15.7 Mbits/sec                  
[SUM]   5.03-6.03   sec  18.4 MBytes   154 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   6.03-7.04   sec  1.62 MBytes  13.6 Mbits/sec                  
[  8]   6.03-7.04   sec  1.50 MBytes  12.5 Mbits/sec                  
[ 10]   6.03-7.04   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 12]   6.03-7.04   sec  1.50 MBytes  12.5 Mbits/sec                  
[ 14]   6.03-7.04   sec  1.50 MBytes  12.5 Mbits/sec                  
[ 16]   6.03-7.04   sec  1.50 MBytes  12.5 Mbits/sec                  
[ 18]   6.03-7.04   sec  1.38 MBytes  11.5 Mbits/sec                  
[ 20]   6.03-7.04   sec  1.50 MBytes  12.5 Mbits/sec                  
[ 22]   6.03-7.04   sec  1.50 MBytes  12.5 Mbits/sec                  
[ 24]   6.03-7.04   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 26]   6.03-7.04   sec  1.50 MBytes  12.5 Mbits/sec                  
[ 28]   6.03-7.04   sec  1.50 MBytes  12.5 Mbits/sec                  
[SUM]   6.03-7.04   sec  17.5 MBytes   146 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   7.04-8.06   sec  1.75 MBytes  14.3 Mbits/sec                  
[  8]   7.04-8.06   sec  1.38 MBytes  11.3 Mbits/sec                  
[ 10]   7.04-8.06   sec   896 KBytes  7.17 Mbits/sec                  
[ 12]   7.04-8.06   sec  1.75 MBytes  14.3 Mbits/sec                  
[ 14]   7.04-8.06   sec  1.00 MBytes  8.19 Mbits/sec                  
[ 16]   7.04-8.06   sec  1.88 MBytes  15.4 Mbits/sec                  
[ 18]   7.04-8.06   sec  1.50 MBytes  12.3 Mbits/sec                  
[ 20]   7.04-8.06   sec  1.38 MBytes  11.3 Mbits/sec                  
[ 22]   7.04-8.06   sec  1.25 MBytes  10.2 Mbits/sec                  
[ 24]   7.04-8.06   sec  2.00 MBytes  16.4 Mbits/sec                  
[ 26]   7.04-8.06   sec  1.50 MBytes  12.3 Mbits/sec                  
[ 28]   7.04-8.06   sec   896 KBytes  7.17 Mbits/sec                  
[SUM]   7.04-8.06   sec  17.1 MBytes   140 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   8.06-9.06   sec  1.00 MBytes  8.40 Mbits/sec                  
[  8]   8.06-9.06   sec  1.12 MBytes  9.45 Mbits/sec                  
[ 10]   8.06-9.06   sec  1.50 MBytes  12.6 Mbits/sec                  
[ 12]   8.06-9.06   sec  1.62 MBytes  13.6 Mbits/sec                  
[ 14]   8.06-9.06   sec  1.50 MBytes  12.6 Mbits/sec                  
[ 16]   8.06-9.06   sec  1.38 MBytes  11.5 Mbits/sec                  
[ 18]   8.06-9.06   sec  1.12 MBytes  9.45 Mbits/sec                  
[ 20]   8.06-9.06   sec  1.38 MBytes  11.5 Mbits/sec                  
[ 22]   8.06-9.06   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 24]   8.06-9.06   sec  1.25 MBytes  10.5 Mbits/sec                  
[ 26]   8.06-9.06   sec  1.38 MBytes  11.5 Mbits/sec                  
[ 28]   8.06-9.06   sec  1.25 MBytes  10.5 Mbits/sec                  
[SUM]   8.06-9.06   sec  15.8 MBytes   132 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   9.06-10.01  sec  1.50 MBytes  13.3 Mbits/sec                  
[  8]   9.06-10.01  sec  1.00 MBytes  8.85 Mbits/sec                  
[ 10]   9.06-10.01  sec  1.50 MBytes  13.3 Mbits/sec                  
[ 12]   9.06-10.01  sec  1.38 MBytes  12.2 Mbits/sec                  
[ 14]   9.06-10.01  sec  1.62 MBytes  14.4 Mbits/sec                  
[ 16]   9.06-10.01  sec  1.38 MBytes  12.2 Mbits/sec                  
[ 18]   9.06-10.01  sec  1.38 MBytes  12.2 Mbits/sec                  
[ 20]   9.06-10.01  sec  1.25 MBytes  11.1 Mbits/sec                  
[ 22]   9.06-10.01  sec  1.00 MBytes  8.85 Mbits/sec                  
[ 24]   9.06-10.01  sec  1.00 MBytes  8.85 Mbits/sec                  
[ 26]   9.06-10.01  sec  1.50 MBytes  13.3 Mbits/sec                  
[ 28]   9.06-10.01  sec  1.50 MBytes  13.3 Mbits/sec                  
[SUM]   9.06-10.01  sec  16.0 MBytes   142 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.01  sec  14.9 MBytes  12.5 Mbits/sec                  receiver
[  8]   0.00-10.01  sec  13.2 MBytes  11.1 Mbits/sec                  receiver
[ 10]   0.00-10.01  sec  14.4 MBytes  12.0 Mbits/sec                  receiver
[ 12]   0.00-10.01  sec  15.1 MBytes  12.7 Mbits/sec                  receiver
[ 14]   0.00-10.01  sec  13.1 MBytes  11.0 Mbits/sec                  receiver
[ 16]   0.00-10.01  sec  15.5 MBytes  13.0 Mbits/sec                  receiver
[ 18]   0.00-10.01  sec  13.2 MBytes  11.1 Mbits/sec                  receiver
[ 20]   0.00-10.01  sec  14.2 MBytes  11.9 Mbits/sec                  receiver
[ 22]   0.00-10.01  sec  14.0 MBytes  11.7 Mbits/sec                  receiver
[ 24]   0.00-10.01  sec  14.6 MBytes  12.3 Mbits/sec                  receiver
[ 26]   0.00-10.01  sec  15.0 MBytes  12.6 Mbits/sec                  receiver
[ 28]   0.00-10.01  sec  13.8 MBytes  11.5 Mbits/sec                  receiver
[SUM]   0.00-10.01  sec   171 MBytes   143 Mbits/sec                  receiver

143 Mbits/sec over 12 parallel tests.

What about wired

After some reconfiguration, I connected my laptop over a wired connection and tried again.

[16:06 pro04 dvl ~] % iperf3-darwin -c r730-03     
Connecting to host r730-03, port 5201
[  7] local 10.8.1.180 port 63962 connected to 10.55.0.143 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd          RTT
[  7]   0.00-1.00   sec  27.7 MBytes   232 Mbits/sec    0    436 KBytes   8ms     
[  7]   1.00-2.00   sec  27.7 MBytes   232 Mbits/sec    0    436 KBytes   9ms     
[  7]   2.00-3.00   sec  27.1 MBytes   227 Mbits/sec    0    436 KBytes   7ms     
[  7]   3.00-4.00   sec  27.8 MBytes   233 Mbits/sec    0    436 KBytes   8ms     
[  7]   4.00-5.00   sec  27.9 MBytes   234 Mbits/sec    0    538 KBytes   8ms     
[  7]   5.00-6.00   sec  27.9 MBytes   234 Mbits/sec    0    538 KBytes   8ms     
[  7]   6.00-7.00   sec  28.0 MBytes   235 Mbits/sec    0    538 KBytes   8ms     
[  7]   7.00-8.00   sec  27.9 MBytes   234 Mbits/sec    0    538 KBytes   8ms     
[  7]   8.00-9.00   sec  27.7 MBytes   233 Mbits/sec    0    538 KBytes   8ms     
[  7]   9.00-10.00  sec  28.1 MBytes   236 Mbits/sec    0    538 KBytes   6ms     
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  7]   0.00-10.00  sec   278 MBytes   233 Mbits/sec    0             sender
[  7]   0.00-10.00  sec   278 MBytes   233 Mbits/sec                  receiver

iperf Done.

That seems a decent change.

EDIT 2025-03-23 – NOTE: The speed improvements shown here benefit both the client and the server. The tests I ran were one client talking to a service behind the VPN.

The configurations

Added 2025-03-24.

The server:

[15:20 gw01 dvl ~] % sudo cat /usr/local/etc/openvpn/openvpn.conf
# this is the device used
dev tun2

verb 4
dev-type tun

writepid /var/run/openvpn_server2.pid
script-security 3
daemon
keepalive 10 60

ping-timer-rem
persist-tun
persist-key
proto udp4
auth  SHA256

# these don't do much. I'm sure I can get rid of them
client-connect    /usr/local/sbin/serverlocal-events.sh
client-disconnect /usr/local/sbin/serverlocal-events.sh

# Enable TLS and assume server role during TLS handshake
tls-server

# this configures OpenVPN into server mode
# openvpn_server_ip4 is the IP address the server takes for itself
server 10.8.1.0 255.255.255.0

# All the client specific configurations
client-config-dir /usr/local/etc/openvpn/ccd

# server routes
push "route 10.55.0.0 255.255.255.0"

# These are used by the laptops / Viscosity
push "dhcp-option DNS 10.55.0.1"
push "dhcp-option DNS 10.55.0.73"
push "dhcp-option DNS 10.55.0.13"

# template all the things
ca   /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key  /usr/local/etc/openvpn/keys/server.key

dh   /usr/local/etc/openvpn/dh2048.pem

# secret key, same value on client and server
tls-auth /usr/local/etc/openvpn/keys/ta.key 0

data-ciphers          AES-256-GCM:AES-128-GCM:ChaCha20-Poly1305
data-ciphers-fallback ChaCha20-Poly1305
allow-compression no

topology subnet

# custom options section of pfSense configuration starts here:
# bunch of endpoints

# Client routes

#
# tallboy
#
route 10.70.0.0 255.255.255.0
push "route 10.70.0.0 255.255.255.0"

# other client routes redacted here.

# keep tun around during restart
persist-tun

# short status file
status /var/run/openvpn-status.log


# replay protection sliding-window size and time window
replay-window 128 60

# From mzar #FreeBSD on Libera.chat on 2025-03-10
tun-mtu 1400

# Let peers know we're going away
# this encourages them to reconnect right away instead of waiting for a timeout
explicit-exit-notify 1

client-to-client

The config for a client:

[15:23 aws-1 dan ~] % sudo cat /usr/local/etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote foo.example.net 1194
resolv-retry infinite
nobind
#user  openvpn
#group openvpn
persist-key
persist-tun
pull
remote-cert-tls server
tls-auth /usr/local/etc/openvpn/keys/ta.key 1
ca       /usr/local/etc/openvpn/keys/ca.crt
cert     /usr/local/etc/openvpn/keys/client.crt
key      /usr/local/etc/openvpn/keys/client.key
verb 4

cipher AES-256-CBC
auth SHA256